I needed a way to inspect HTTPS traffic on my home network. There was some dodgy browsing going on and I wanted to see it all, HTTPS included. Solution? Set up a Squid proxy with ssl-bump configured to handle HTTPS.

I’m a Linux guy, so my Windows admin is meh, and setting up a traditionally Unix-based service on my Windows Server 2012 was a bit of a mission. But here are my notes from getting it (as far as I can tell) working.

Disclaimer: you can follow all these steps on the wiki, but just as I wished someone had written some of the documentation a little bit more clearly, I leave this here.

Errors when restarting Squid?!

When restarting for the first time with the SSL settings enabled in your squid.conf, you’re going to run into a few errors.
In /var/log/cache.log you’ll see this:
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

And Squid will finally crash out with this (you’ll see this error in Event Viewer as well):
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

The Fix!

As you can see from the error message, we need to initialize our SSL certificate database directory by running "ssl_crtd -c -s /var/lib/ssl_db".

Now, open a ‘Squid Terminal’ from your desktop shortcut in Windows Server 2012 and navigate to where the ‘ssl_crtd.exe’ program is (e.g. for me, C:\Squid-3.5\lib\squid)

and run:

C:\Squid-3.5\lib\squid\ssl_crtd.exe -c -s C:\Squid-3.5\var\lib\ssl_db

Key thing to note here:

The directory ‘ssl_db’ must NOT ALREADY EXIST (or else you’re going to have a very bad time).

Don’t be a dumbass like me and follow the error message ssl_crtd: Cannot create blah blah into a vortex of online forums about it that point to “squid with cygwin is broken and therefore can never do ssl bumping for https traffic”.
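
The same fix as a guarded PowerShell script, added here as an example and not part of the original notes: it refuses to run if ‘ssl_db’ already exists, then checks that the helper actually created it. It assumes the install paths quoted above and a session in which ssl_crtd.exe can load its Cygwin DLLs (for example, one started from the Squid Terminal environment).

```powershell
# Added example, not from the original post.
# Paths are the ones quoted in the notes above; change $SquidRoot for your install.
$SquidRoot = 'C:\Squid-3.5'
$Helper    = Join-Path $SquidRoot 'lib\squid\ssl_crtd.exe'
$DbDir     = Join-Path $SquidRoot 'var\lib\ssl_db'

# The helper has to be where we expect it before anything else.
if (-not (Test-Path -LiteralPath $Helper -PathType Leaf)) {
    throw "ssl_crtd.exe not found at $Helper"
}

# The key point from the notes: ssl_db must NOT already exist when
# ssl_crtd -c runs. Stop here instead of letting the helper fail.
if (Test-Path -LiteralPath $DbDir) {
    throw "$DbDir already exists; ssl_crtd -c needs to create it itself."
}

# Sanity check: the parent directory (var\lib) should already be there.
$Parent = Split-Path -Parent $DbDir
if (-not (Test-Path -LiteralPath $Parent -PathType Container)) {
    throw "Parent directory $Parent is missing; check the Squid install path."
}

# Same command as in the notes: create (-c) the certificate database at -s <dir>.
& $Helper -c -s $DbDir
if ($LASTEXITCODE -ne 0) {
    throw "ssl_crtd exited with code $LASTEXITCODE"
}

# Confirm the directory was really created before restarting Squid.
if (-not (Test-Path -LiteralPath $DbDir -PathType Container)) {
    throw "ssl_crtd reported success but $DbDir was not created."
}

Write-Output "Initialized $DbDir. Restart the Squid service and check cache.log."
```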

Success! (finally)

Restart the Squid service (again).

If your install and configuration were successful, check the logfile /var/log/cache.log, and it should look like this: